
List:       racf-l
Subject:    Re: r_admin some addition information ...
From:       scott Ford <idflist1 () GMAIL ! COM>
Date:       2020-02-26 18:21:03
Message-ID: CA+K=n16z0hQZb58EhS4H7cLBGCuvRV2DrO0NxuPy+U9STg-q3Q () mail ! gmail ! com

Bruce:

Is there a suggested or proper way to run as an elevated privilege? For
example, if I wanted to be able to perform human center site RACF admin
(being they can do just about any RACF function).
I saw the APAR OA56851; is this APAR intended to assist with this type of
function? What I am trying to do is make sure the methodology we use to
perform RACF provisioning (I still feel this is an odd term) will be safe
and secure. We accept requests from an LDAP server and then we go through
the logic of determining if the overview message is good and then pass it
to RACF. I realize I have asked a lot of questions, but I can't attend
SHARE, where IBM and a lot of folks here do presentations. I usually
download the presentations and review them. New techniques to me are
important for secure functionality.

Regards,
Scott

On Tue, Feb 25, 2020 at 1:35 PM scott Ford <idflist1@gmail.com> wrote:

> Bruce:
>
> Yes sir, I agree. I would prefer the STC being run under the SPECIAL userid
> and then call R-admin; this is much simpler for us to support. You provided
> much food for thought for me.
> Sorry, I sorely miss the PLMs of years gone by. I used to use them a lot.
> A great overview of how various components worked. Talking early 1980s ..
>
> Once again a big thx. Much appreciated.
> Regards,
> Scott
>
> On Tue, Feb 25, 2020 at 1:16 PM Bruce Wells <brwells@us.ibm.com> wrote:
>
>> scott Ford <idflist1@GMAIL.COM> wrote on 02/25/2020 12:32:14 PM:
>>
>> > Thank you for the explanation, very helpful.
>> > But this begs another question:
>> >
>> > My issue with the customer request is that the Started Task we wrote
>> > initially was written to run with SPECIAL so it could perform any RACF
>> > function. Because of security concerns, we were asked to run our STC as
>> > a generalized userid instead of having SPECIAL coded. So how we designed
>> > it, with a tad of help, was to pass a userid (IDFAGNT) to the code
>> > snippet I provided earlier. This of course was working and is working,
>> > but once I pull MODE=SUP from the IRRSEQ00 call and run in problem mode,
>> > how do I handle being able to perform SPECIAL functions without being in
>> > MODE=SUP? This is where I am confused. I obviously don't want to
>> > jeopardize any customer's system. The point is to provide them the full
>> > SPECIAL functionality without being in MODE=SUP.
>> >
>> > Any suggestions and/or comments are always welcome.
>> >
>>
>> Scott,
>>
>> You seem to just be punting the SPECIAL requirement to your run-as user
>> ID (presumably also PROTECTED), so I don't see how this is any more
>> 'Least Privilege' than simply running the started task directly as
>> SPECIAL. And, by using the run-as feature, your program is now obligated
>> to be APF authorized, which just as many clients would like to see
>> avoided if possible.
>>
>> So, to answer your question directly, you cannot use the run-as feature
>> in problem state. You *can* execute the commands under a SPECIAL user ID
>> by running the started task under a SPECIAL user ID and calling R-admin
>> in problem state without the run-as option. SETROPTS SAUDIT can be used
>> to make sure all the RACF commands are logged (I imagine everyone has
>> this enabled), and the FACILITY authorization checks will also occur,
>> for what that's worth (the 'logging in depth' of the FACILITY access does
>> not seem all that valuable to me, and presumably the started task user
>> cannot be denied access to any of the resources and still properly
>> function). And now you're back where you started ;-)
>>
>> Perhaps the "security concerns" you mentioned are really "security
>> (mis)perceptions"?
>>
>> I would be interested in opinions from the Real World, however.
>>
>> Regards,
>>       Bruce R. Wells, CISSP
>>       z/OS Security Server Design and Development
>>       Phone: Tie 8-295-7498  External: (845) 435-7498
>>       Internet: brwells@us.ibm.com
>>       Poughkeepsie, NY  USA
>>


-- 
IDMWORKS
Scott Ford
z/OS Dev.

"By elevating a friend or Colleague you elevate yourself, by demeaning a
friend or colleague you demean yourself"

www.idmworks.com
scott.ford@idmworks.com
Blog: www.idmworks.com/blog